Basis:

Use a minimal due diligence approach: For the low risk end of
the spectrum, where most day-to-day users tend to work, due diligence
approaches and vulnerability testing are adequate to the risk
assessment process. Diligence with respect to not becoming a hazard is
required for any system, and vulnerability testing is a good way to
get a handle on easily repaired problems. These are inexpensive and
reasonable things to do in most cases. Common operating environments
are often used to save on costs of operation and maintenance. At this
end of the risk spectrum, it is easy to accept risks. As long as there
isn't any really serious consequence associated with failures in these
systems, they should be optimized for life cycle cost and business
efficiency.

Use probabilistic risk assessment or covering approaches: As
risks increase, more demands are made on systems to assure the utility
of content. For medium risk situations, many things are
different. Sound change control and accreditation processes are
necessary, configurations should be closely managed, and
infrastructure supporting the application should fall under closer
scrutiny and management. Probabilistic risk analysis may be used for
natural threats, and covering approaches for low threat, medium
consequence situations are also reasonable.

Do lightweight initial and periodic reassessments:
Lightweight initial and periodic assessments provide a way to achieve
many of the objectives of a protection posture assessment at far lower
initial cost. The notion is that, for situations that are likely to
change rapidly over time, the cost and delay involved in more in-depth
processes are not as good a tradeoff as a series of smaller and faster
assessments. This is particularly useful in situations where a
protection program is being started up or over the period of a major
change. These assessments typically only deal with as-is and future
state and don't include gap analysis or transition planning. They are
normally done every 3-6 months for the duration of the major changes
or until the start-up program becomes mature enough for a more
thorough process. If an independent audit process is used to verify
factual accuracy of assessments, low risk should reassess annually,
and medium risk every 6-9 months.

Use protection posture assessments or expert facilitated
analysis: Protection posture assessments and expert facilitated
analysis are more suitable as the threats increase. While periodic
oversight is acceptable at low threat levels, management must keep
tighter reins and review at a higher rate for higher consequence
systems or systems under more severe threats.

Use scenario-based analysis or systems
analysis: When risks reach into the high end, systemic change
management comes into play with system-wide testing associated with
every significant change. Management rates increase until individual
managers are in real-time control over the highest risk
systems. Scenario-based analysis becomes increasingly important and,
eventually at the highest risk levels, systems analysis becomes
necessary.

Risk management is the core process underlying reasonable and prudent
decisions about information protection. In order to make prudent
decisions, a risk management process must be put in place. The
question is, what process?